Abstract

We propose a quantum-enhanced protocol to authenticate classical messages, with improved 
security with respect to the classical scheme introduced by Brassard in 1983. In that protocol, the 
shared key is the seed of a pseudo-random generator (PRG) and a hash function is used to create 
the authentication tag of a public message. We show that a quantum encoding of secret bits offers 
more security than the classical XOR function introduced by Brassard. Furthermore, we establish 
the relationship between the bias of a PRG and the amount of information about the key that 
the attacker can retrieve from a block of authenticated messages. Finally, we prove that quantum 
resources can improve both the secrecy of the key generated by the PRG and the secrecy of the 
tag obtained with a hidden hash function. 
I. INTRODUCTION



The authentication of public messages is a fundamental problem nowadays for bipartite and network communications. The scenario is the following: Alice sends a (classical) message to Bob through a public channel, together with an authentication tag through a private or public channel. The tag will allow Bob to verify whether the message he received via the public channel has been tampered with or whether it is indeed the authentic message, originally sent by Alice. A third character, Eve, wants to sabotage this scheme by intercepting Alice's message and sending her own message to Bob, together with a false tag which will convince Bob that he is receiving the authentic message. For instance, one could imagine that Alice is sending Bob her bank account number, to which Bob will transfer some money, and Eve wants to interfere in the communication in such a way that Bob will receive her bank account number believing it is Alice's, thus giving his money to Eve. The use of authentication tags allows one to separate the secrecy problem in message transmission from the authentication problem, and it is useful even if a secure communication channel is available.

In 1983, G. Brassard proposed a computationally secure scheme of classical authentication tags based on the sharing of short secret keys. Brassard's scheme is itself an improvement of the Wegman-Carter protocol. Brassard showed that a relatively short seed of a PRG can be used as a secret key shared between Alice and Bob which will allow the exchange of computationally secure authentication tags. This method yields a much more practical protocol, where the requirements on the seed length grow reasonably with the number of messages we want to authenticate, as opposed to the Wegman-Carter proposal.

The security of PRGs is based on the alleged hardness of some problems of number theory, e.g., the factorization of a large number with classical computers. However, several of these problems are provably solvable if quantum computers are available. Consequently, the security of the PRGs might be compromised. Assuming Alice and Bob communicate quantumly, can Eve still threaten the security of the PRG? This question is our main motivation for writing this article.

In this work, we extend Brassard's protocol to include quantum-encoded authentication tags, which we prove will offer, under certain conditions, information-theoretical security for the authentication of classical messages. We observe that our scheme can authenticate the quantum channel itself, which is an important part of quantum cryptography: in fact, it is the crucial first step of quantum key distribution protocols.



II. PRELIMINARIES 



In this section we set up basic notation, briefly review the description of Brassard's protocol and describe our new proposal. We conclude the section with a negative result on the robustness of an attackable PRG when its output is hidden by a specific quantum coding.

We denote by $\mathcal{M}$ the set of messages and by $\mathcal{T}$ the set of tags, where $\log|\mathcal{M}| \gg \log|\mathcal{T}|$. As hash functions are an important ingredient for all protocols described here, we start by presenting their formal definition.



Definition II.1 ($\epsilon$-almost strongly universal-2 hash functions) Let $\mathcal{M}$ and $\mathcal{T}$ be finite sets and call functions from $\mathcal{M}$ to $\mathcal{T}$ hash functions. Let $\epsilon$ be a positive real number. A set $\mathcal{H}$ of hash functions is $\epsilon$-almost strongly universal-2 if the following two conditions are satisfied:

1) The number of hash functions in $\mathcal{H}$ that take an arbitrary $m \in \mathcal{M}$ to an arbitrary $t \in \mathcal{T}$ is exactly $|\mathcal{H}|/|\mathcal{T}|$.

2) The fraction of those functions that also take $Y' \neq Y$ in $\mathcal{M}$ to an arbitrary $T' \in \mathcal{T}$ (possibly equal to $T$) is no more than $\epsilon$.

The number $\epsilon$ is related to the probability of guessing the correct tag with respect to an arbitrary message $Y$. Notice that the smaller $\epsilon$ is, the larger $|\mathcal{H}|$ is. For additional details on universal-2 functions we point the reader to the references.

FIG. 1: Brassard's classical authentication protocol

Brassard's protocol (see Figure 1) makes use of two secret keys. The first one, $U^{(l)}$, specifies a fixed universal-2 hash function $h \in \mathcal{H}$, where $l = \lceil \log|\mathcal{H}| \rceil$. The second specifies the seed $X^{(n)} \in \mathbb{Z}_2^n$ of a PRG, a sequence of $n$ bits. The main ingredient of the first quantum-enhanced protocol proposed here (see Figure 2) is replacing the classical XOR gate of Brassard's protocol by a quantum encoder similar to that used in the BB84 protocol. After some developments, we shall verify that the key $U^{(l)}$ is no longer necessary. Assume that Alice and Bob agree on two orthonormal bases $B_0$ and $B_1$ for the 2-dimensional Hilbert space,

$B_0 = \{|0\rangle, |1\rangle\}$ and $B_1 = \{|+\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle),\ |-\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\}.$

These bases will be used to prepare four quantum states. We shall refer to this preparation process as quantum coding. For each bit of the $k = \lceil \log|\mathcal{T}| \rceil$ bits long tag $T_Y = h(Y)$, Alice prepares a quantum state $|\psi_i\rangle = |\psi(X_i, (T_Y)_i)\rangle$ determined by the bit $X_i$ from the PRG and the corresponding bit $(T_Y)_i$ of the 2-radix representation of the tag $T_Y$. Then, if the bit $X_i = 0$, Alice prepares $|\psi_i\rangle$ using basis $B_0$, such that

$|\psi_i\rangle = \begin{cases} |0\rangle & \text{if } (T_Y)_i = 0 \\ |1\rangle & \text{if } (T_Y)_i = 1. \end{cases}$ (1)

Similarly, if the bit $X_i = 1$, Alice prepares $|\psi_i\rangle$ using basis $B_1$, such that

$|\psi_i\rangle = \begin{cases} |+\rangle & \text{if } (T_Y)_i = 0 \\ |-\rangle & \text{if } (T_Y)_i = 1. \end{cases}$ (2)


After the qubit generation, Alice sends the separable state $|\psi_Y\rangle^{(k)}$ to Bob through a noiseless quantum channel and the message $Y$ through an unauthenticated classical channel. At the reception, Bob performs measurements to obtain a sequence of $k$ bits from the quantum encoded version of $h(Y)$. For the $i$-th received qubit, Bob measures it using the basis $B_0$ or $B_1$ depending on whether the $i$-th bit of $X$ is 0 or 1, respectively, recovering a $k$-bit long string

$h' = h'(|\psi_Y\rangle^{(k)}).$

Because the quantum channel is assumed to be perfect, Bob recognizes that the message is authentic if $h' = h(Y_B)$, where $Y_B$ is the message received from the classical channel. Otherwise, Bob assumes that Eve tried to send him an unauthentic message. This concludes the authentication protocol for one message. Throughout this article it is always assumed that the above coding rule is public.
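As an added illustration of the coding rule and of Bob's verification step (this is not code from the paper; it models real-amplitude qubits as 2-vectors and takes the tag bits as given, standing in for the hash function), the following Python snippet runs Alice's encoding (1)-(2), Bob's basis-matched measurement, and evaluates exactly the per-qubit key-bit leak that the proof of Theorem II.3 below relies on, together with its Hoeffding bound:

```python
import math
import random

# Toy real-amplitude qubit model (added illustration, not the paper's code): kets are 2-vectors.
SQ = 1 / math.sqrt(2)
B0 = ((1.0, 0.0), (0.0, 1.0))  # B_0 = {|0>, |1>}
B1 = ((SQ, SQ), (SQ, -SQ))     # B_1 = {|+>, |->}
BASES = (B0, B1)


def encode(x_bit, t_bit):
    """Eqs. (1)-(2): the PRG bit X_i selects the basis, the tag bit (T_Y)_i selects the state."""
    return BASES[x_bit][t_bit]


def outcome_probs(state, basis_bit):
    """Born rule: probabilities of reading 0 and 1 when `state` is measured in B_{basis_bit}."""
    probs = []
    for ket in BASES[basis_bit]:
        amp = ket[0] * state[0] + ket[1] * state[1]
        probs.append(amp * amp)
    return tuple(probs)


def measure(state, basis_bit, rng):
    """Sample one measurement outcome; a state lying in the basis gives a certain outcome."""
    p0, _ = outcome_probs(state, basis_bit)
    if p0 >= 1 - 1e-12:
        return 0
    if p0 <= 1e-12:
        return 1
    return 0 if rng.random() < p0 else 1


def alice_send(tag_bits, key_bits):
    """Alice's separable state |psi_Y>^(k): one qubit per tag bit, basis set by the PRG bit."""
    if len(tag_bits) != len(key_bits):
        raise ValueError("one key bit per tag bit is required")
    return [encode(x, t) for x, t in zip(key_bits, tag_bits)]


def bob_recover(qubits, key_bits, rng=None):
    """Bob measures the i-th qubit in B_{X_i}; with the right bases the tag comes back exactly."""
    rng = rng or random.Random(0)  # only consulted when a basis mismatches, never for Bob's own key
    return [measure(q, x, rng) for q, x in zip(qubits, key_bits)]


def bob_accepts(qubits, key_bits, tag_of_received_message):
    """Bob accepts iff the recovered string h' equals h(Y_B) computed from the message he got."""
    return bob_recover(qubits, key_bits) == list(tag_of_received_message)


def eve_basis_leak_probability():
    """Exact value of the per-qubit leak used in the proof of Theorem II.3: measuring a qubit
    in a uniformly random basis reveals X_i precisely when the outcome Z_i differs from the
    encoded public bit, since no mismatch is possible in the correct basis.  X_i, the encoded
    bit and the chosen basis are each uniform, so every (x, t, e) triple has weight 1/8."""
    total = 0.0
    for x in (0, 1):
        for t in (0, 1):
            for e in (0, 1):
                probs = outcome_probs(encode(x, t), e)
                for z in (0, 1):
                    if z != t:
                        total += probs[z] / 8
    return total


def hoeffding_miss_bound(p_n):
    """Theorem II.3: with 8*p(n) such measurements, the chance of learning fewer than p(n)
    key bits is at most exp(-2*(p(n))^2 / (8*p(n))) = exp(-p(n)/4) (Hoeffding's inequality)."""
    return math.exp(-p_n / 4)


if __name__ == "__main__":
    # Constructed sample tag and PRG bits (stand-ins for h(Y) and for the PRG output).
    tag = [1, 0, 1, 1, 0, 0, 1, 0]
    key = [0, 1, 1, 0, 1, 0, 0, 1]
    qubits = alice_send(tag, key)
    print("Bob recovers the tag:", bob_recover(qubits, key) == tag)
    print("per-qubit key-bit leak to a random-basis interceptor:", eve_basis_leak_probability())
    print("Hoeffding bound for p(n) = 40:", hoeffding_miss_bound(40))
```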

Even though we assume a noise-free quantum channel, we observe that if the quantum channel is noisy, the only piece of information requiring error-protecting coding is the block of bits $(T_Y)_i$ of the tag $T_Y$. The sequence of bases to be prepared by Alice and Bob is known a priori, determined locally by the sequence of bits from the PRG. A future task is evaluating the effects of the utilization of error-correcting codes on the bits of $T_Y$.

FIG. 2: First proposal of quantum-enhanced authentication scheme



As a warning against alleged collective attacks, we notice that our analysis allows Eve to apply general procedures (suggested in Figure 2 by the block labeled POVM) without being detected. Our results are robust to such a powerful and unrealistic assumption for the attacker. Note that our quantum scheme aims at minimizing the key length for one-way transmission. Another example of such an approach is given in [15]. Next we focus on crucial aspects of PRGs.



Weak pseudo-random generators 

Clearly, it is important to understand how secure the authentication code described above is. As we shall see, the security of the authentication code is deeply related to the quality of the pseudo-random generator. The quality of a pseudo-random generator is evaluated by the hardness of discriminating its pseudo-random output sequence from a truly random sequence, or by the hardness of finding its seed. The first quality evaluation relates to the PRG's robustness against distinguishing attacks, the second relates to the so-called state recovery attacks. In [8] it is shown that a state recovery attack is a subclass of the distinguishing attacks.






As a matter of fact, if the pseudo-random generator can be attacked by a quantum computer, so can the authentication code. To establish this result we refer to Figure 3, which describes a simple scheme to assist us in the proof. In this scheme, we simply allow Eve to compare a sequence $\{Y_i\}$ of classical bits with the corresponding sequence $\{Z_i\}$ obtained from the measurement apparatus POVM.

Recall that a pseudo-random generator is a polynomial-time family of functions $G = \{G_n : \mathbb{Z}_2^n \times \mathbb{N} \to \mathbb{Z}_2\}_{n \in \mathbb{N}}$, where $\mathbb{Z}_2$ is the set $\{0, 1\}$ and $G_n$ is the pseudo-random generator for seeds of size $n$, that is, $G_n(X^{(n)}, i)$ returns the $i$-th bit generated from the $n$ bits long seed $X^{(n)}$. Pseudo-random generators are expected to fulfill an indistinguishability property that we will not detail here for the sake of simplicity (more details in [7]). In the following definition we write $X^{p(n)} = (G(X^{(n)}, i_1), G(X^{(n)}, i_2), \dots, G(X^{(n)}, i_{p(n)}))$ to denote a subsequence of $p(n)$ (not necessarily contiguous) bits generated by $G$.

Definition II.2 We say that a pseudo-random generator $G$ is attackable in (quantum/probabilistic) polynomial time if there exists a (quantum/probabilistic) polynomial time algorithm $P$ and a polynomial $p$ such that, if $P$ is fed with a subsequence of $p(n)$ (not necessarily contiguous) generated bits of $G$, we have that:

$H(X^{(n)} \mid P(X^{p(n)})) \in O(2^{-n}).$

For a pseudo-random generator to be attackable, there must exist an algorithm (quantum or probabilistic) that receives a subsequence of $p(n)$ generated bits (not necessarily contiguous) and is able to compute the seed up to a negligible uncertainty. We observe that the security/randomness of the pseudo-random generator cannot be grounded in the fact that the attack can only be performed on a contiguous subsequence of generated bits. This is due to the fact that the generator could always hide some bits if the attack required this type of sequence. A simple example of a pseudo-random generator that is attackable in polynomial time is the family of pseudo-random number generators based on linear congruences.

Theorem II.3 If a pseudo-random generator $G$ is attackable in (quantum/probabilistic) polynomial time then the scheme presented in Figure 3 is not secure in polynomial time for a quantum adversary that has access to $Y = \{Y_i\}$.

Proof. Since $G$ is attackable there exists a quantum polynomial time algorithm $P$ and a polynomial $p$ such that if $P$ is fed with $p(n)$ bits of the string $X$ generated by $G$ then $P$ computes (up to negligible uncertainty) the seed $X^{(n)}$ of $G$. So it is enough to show that Eve, upon capturing the qubits generated by QC, is able to recover (with non-negligible probability) $p(n)$ bits of $X$.

FIG. 3: Auxiliary scheme for the proof of Theorem II.3

Indeed, assume that Eve has captured $8p(n)$ qubits $|\psi_i\rangle$, $i = 1, \dots, 8p(n)$, and has measured them in a random basis (that is, either the computational or the diagonal basis). Eve can now verify if $Z_i = Y_i$. If this occurs Eve does not know whether the basis chosen to encode the bit $Y_i$ was the basis she measured or whether she got the correct bit with probability $1/2$ due to encoding in the other basis. However, if the outcome is different (that is, $Y_i \neq Z_i$), then she knows that the basis at the $i$-th bit is the basis she did not choose to measure, because no mismatch would be possible if the encoding had been performed in the same basis. In the latter case, she knows that $X_i$ is either 0 or 1 depending on whether she measured in the diagonal or the computational basis, respectively. Moreover, this happens with probability $1/4$. So the probability of Eve not obtaining $p(n)$ elements of $X$ by measuring $8p(n)$ qubits is given by the cumulative distribution function of a binomial distribution with Bernoulli trials of parameter $1/4$, $8p(n)$ trials and at most $p(n)$ successes. By Hoeffding's inequality this probability is upper-bounded by $\exp\left(-2\frac{(p(n))^2}{8p(n)}\right) = \exp\left(-\frac{p(n)}{4}\right)$, which decreases exponentially with $n$, and so, in other words, Eve has an exponentially increasing probability of obtaining $p(n)$ bits of $X$ with $8p(n)$ qubit measurements. Since $G$ is attackable by knowing $p(n)$ bits of $X$, Eve is able to perform this attack except with negligible probability. □

Corollary 1 If a pseudo-random generator $G$ is attackable then the scheme presented in Figure 2 is not secure in polynomial time for a quantum adversary that has access to the hash function $h$.

Proof. Eve is able to calculate $h(Y)$ from $Y$, which is public. Therefore she can apply Theorem II.3 by observing a number $N$ of tags such that $N \log|\mathcal{T}| > 8p(n)$. □
Although Theorem II.3 shows that the quantum coding of Figure 3 is not asymptotically better than the classical coding (where we simply replace the quantum coder QC by a XOR gate), it seems harder to attack the quantum scheme. We will now show that this is true for the simple case where the encoder is fed by an independent and identically distributed (i.i.d.) Bernoulli sequence. The following example illustrates that this is true even for a very simple generator.

Example II.4 (State Recovery Attack for the Linear Congruential Generator (LCG))

Let $A$ be a positive integer and $\mathbb{Z}_A$ the set of integers modulo $A$. The seed of the LCG is the vector $X^{(n)} = (A, s_0, a, b)$, where $s_0, a, b \in \mathbb{Z}_A$. The length of the seed is $n = 4\lceil \log A \rceil$. A binary pseudorandom sequence with length $N \times \lceil \log A \rceil$ bits is obtained from the 2-radix expansion of the sequence $s = \{s_1, s_2, \dots, s_N\}$ created by the following recursion:

$s_i = a s_{i-1} + b \bmod A, \quad i = 2, 3, \dots, N$ (3)

It is well known (see the references) that for all $i = 1, 2, \dots, N-3$, the numbers

$\delta_i = \det \begin{pmatrix} s_i & s_{i+1} & 1 \\ s_{i+1} & s_{i+2} & 1 \\ s_{i+2} & s_{i+3} & 1 \end{pmatrix}$

are multiples of $A$. As a consequence, the greatest common divisor (GCD) of some of them gives the value of $A$. The rest of the seed, that is $a$, $b$ and $s_0$, then follows from a system of linear equations. In practice five values of $\delta_i$ are enough.

Figure 4 (right) displays a simplified version of the scheme shown in Figure 3, where $X$ stands for the pseudo-random sequence from the output of the PRG. The left side of Figure 4 displays the situation when a XOR gate is utilized. We notice that the state recovery attack is applicable without change to the XOR-based scheme. It is enough to compute $X = Z \oplus Y$ before applying the algorithm. In contrast, for the quantum scheme, Eve is subject to an irreducible uncertainty on the $X$ values due to the quantum coding. In particular, if she employs the procedure described in the proof of Theorem II.3, only one fourth of the $X$'s are expected to be correct. The problem from Eve's point of view is how to solve for the seed from a degraded version of the algorithm input $X$.
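The following Python example, added here and not part of the paper, carries Example II.4 through on constructed parameters ($A = 101$, $a = 7$, $b = 3$, $s_0 = 5$) and shows the point of the paragraph above: in the XOR scheme, Eve's $X = Z \oplus Y$ hands the recovery routine an exact copy of the LCG output, so the seed follows from the $\delta_i$ determinants and two linear congruences. The message bits $Y$ are constructed sample data; the run is a check that such a PRG is attackable in the sense of Definition II.2.

```python
from functools import reduce
from math import gcd

# Added illustration, not the paper's code.  Constructed LCG parameters in the notation of
# Example II.4: modulus A, initial state s_0, multiplier a, increment b.
A_TRUE, S0_TRUE, A_MULT, B_INC = 101, 5, 7, 3
WIDTH = 7  # ceil(log2 A): each s_i contributes WIDTH bits to the PRG output


def lcg_sequence(A, s0, a, b, N):
    """Eq. (3): s_i = a*s_{i-1} + b mod A, started from s_0; returns s_1, ..., s_N."""
    seq, s = [], s0
    for _ in range(N):
        s = (a * s + b) % A
        seq.append(s)
    return seq


def to_bits(values, width):
    """2-radix expansion of each s_i, most significant bit first (the PRG output X)."""
    return [(v >> (width - 1 - k)) & 1 for v in values for k in range(width)]


def from_bits(bits, width):
    """Inverse of to_bits: regroup the bit string into the integers s_i."""
    return [int("".join(map(str, bits[i:i + width])), 2) for i in range(0, len(bits), width)]


def delta(s, i):
    """delta_i = det [[s_i, s_{i+1}, 1], [s_{i+1}, s_{i+2}, 1], [s_{i+2}, s_{i+3}, 1]]
    for a 0-indexed list s; every delta_i is a multiple of the modulus A."""
    x0, x1, x2, x3 = s[i:i + 4]
    return x0 * (x2 - x3) - x1 * (x1 - x2) + (x1 * x3 - x2 * x2)


def recover_lcg(s):
    """State recovery of Example II.4: A from the gcd of the delta_i, then a, b, s_0 from the
    linear relations s_2 = a*s_1 + b and s_1 = a*s_0 + b (mod A)."""
    if len(s) < 5:
        raise ValueError("at least five outputs are needed")
    A = reduce(gcd, (abs(delta(s, i)) for i in range(len(s) - 3)))
    # The gcd could in principle be a multiple of A; more delta_i values remove that.
    a = ((s[2] - s[1]) * pow(s[1] - s[0], -1, A)) % A
    b = (s[1] - a * s[0]) % A
    s0 = ((s[0] - b) * pow(a, -1, A)) % A
    return A, a, b, s0


def xor_bits(u, v):
    return [i ^ j for i, j in zip(u, v)]


def xor_scheme_attack(z_bits, y_bits, width=WIDTH):
    """Left side of Figure 4: with Z = X xor Y, Eve computes X = Z xor Y exactly and feeds it
    to recover_lcg.  (In the quantum scheme only about 1/4 of X is known reliably, so the
    s_i cannot be rebuilt this way.)"""
    x_bits = xor_bits(z_bits, y_bits)
    return recover_lcg(from_bits(x_bits, width))


def demo():
    """Full run on constructed data; returns the recovered seed and the predicted s_9."""
    s = lcg_sequence(A_TRUE, S0_TRUE, A_MULT, B_INC, 8)       # Alice's PRG values s_1..s_8
    x_bits = to_bits(s, WIDTH)                                 # PRG bit string X
    y_bits = [(k + 1) % 2 for k in range(len(x_bits))]         # constructed message bits Y
    z_bits = xor_bits(x_bits, y_bits)                          # what Eve sees on the channel
    A, a, b, s0 = xor_scheme_attack(z_bits, y_bits)
    next_value = (a * s[-1] + b) % A                           # Eve now predicts s_9
    return (A, a, b, s0), next_value


if __name__ == "__main__":
    print(demo())
```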
III. COMPARING XOR WITH QUANTUM CODING



In the last section we have considered the problem of the state recovery attack and defined the weakness of a PRG. In this section we make a rigorous comparison between the XOR and the quantum coding performances using information-theoretical measures. To this end consider Figure 4, where both classical and quantum encodings are displayed. The QC denotes the quantum encoder defined before, in (1) and (2), where $X$ is the variable that sets the basis. The block POVM stands for the measurement apparatus defined by the positive operator-valued measure

$Z = \{E_m(Y)\}_{m \in O}$

where $O$ is the set of outcomes. Observe that the measurement may depend on the message $Y$, which is public. The goal of Eve is to maximize the knowledge of $X$, that is, minimize the entropy $H(X \mid Y, Z)$.

FIG. 4: XOR (left) and quantum coding (right)

We consider the classical and quantum scheme presented in Figure 4 in two ways: Firstly, 
we will assume that X is a sequence of fair and independent Bernoulli random variables, 
that is, the PRG describing X is perfect. Secondly, we consider a biased PRG (unfair) to 
describe X and introduce blocks of random variables into the analysis. 



Fair input single-sized block

We start with the simple case of a single-sized block and where $X \sim \mathrm{Ber}(\tfrac12)$. In the classical XOR encoding case we have that $Z = X \oplus Y$ and thus $H(X \mid Y, Z) = 0$, and so Eve has no doubt about $X$. In the quantum encoding case, the Holevo bound states that

$I(X; Z \mid Y) \le S(\rho(Y)) - \sum_{i=0}^{1} \tfrac12\, S(|\phi_i(Y)\rangle\langle\phi_i(Y)|)$ (4)

where $\rho(Y)$ is the density operator describing the encoding by QC, that is

$\rho(Y) = \tfrac12 |\phi_0(Y)\rangle\langle\phi_0(Y)| + \tfrac12 |\phi_1(Y)\rangle\langle\phi_1(Y)|,$ (5)

where $|\phi_0(0)\rangle = |0\rangle$, $|\phi_1(0)\rangle = |+\rangle$, $|\phi_0(1)\rangle = |1\rangle$ and $|\phi_1(1)\rangle = |-\rangle$.






We shall need a well known property of the von Neumann entropy (see the references for more details).

Proposition III.1 Let $\rho$ be a quantum state and $S(\rho)$ its entropy; then $S(\rho) \ge 0$, and equality holds iff $\rho$ is a pure state.

Thus, thanks to Proposition III.1 we can simplify (4) to

$I(X; Z \mid Y) \le S(\rho(Y)).$ (6)

Moreover, one can easily compute the von Neumann entropy $S(\rho(Y)) = S(\rho(0)) = S(\rho(1))$, which is

$S^* = S(\rho(Y)) = -2\cos^2\!\left(\tfrac{\pi}{8}\right)\log\left(\cos\left(\tfrac{\pi}{8}\right)\right) - 2\sin^2\!\left(\tfrac{\pi}{8}\right)\log\left(\sin\left(\tfrac{\pi}{8}\right)\right).$ (7)

And so, since $H(X \mid Z, Y) = H(X \mid Y) - I(X; Z \mid Y)$ and $H(X \mid Y) = 1$, the minimum uncertainty that Eve may attain about $X$ is given by

$H(X \mid Y, Z) = 1 - S(\rho(Y)).$ (8)

The Holevo bound can be achieved by a simple von Neumann measurement [?, p. 421] described by the Hermitian operator

$A = 0\,|\psi_\theta\rangle\langle\psi_\theta| + 1\,|\psi_\theta^\perp\rangle\langle\psi_\theta^\perp|$ (9)

with $|\psi_\theta\rangle = \cos(\theta)|0\rangle + \sin(\theta)|1\rangle$, $|\psi_\theta^\perp\rangle = \sin(\theta)|0\rangle - \cos(\theta)|1\rangle$ and $\theta = -\pi/8$.

Fair input $k$-blocks

First, consider the classical setup; then $H(X^k \mid Y^k, Z^k) = 0$, since the block $X^k$ is completely determined from the knowledge of $Y^k$ and $Z^k$.

For the quantum setup, the subsystem that Eve owns is described by

$\rho_{Y^k} = \bigotimes_{i=1}^{k} \left( \tfrac12 |\phi_0(Y_i)\rangle\langle\phi_0(Y_i)| + \tfrac12 |\phi_1(Y_i)\rangle\langle\phi_1(Y_i)| \right).$ (10)

By the Holevo bound we get that

$H(X^k \mid Y^k, Z^k) \ge H(X^k) - S(\rho_{Y^k}).$ (11)

Example III.2 Table I illustrates the scenario for $k = 2$. Rows are indexed by the four possible values of $Y^2$ and columns are indexed by the bases corresponding to the four values of $X^2$. Notice that Eve is not able to distinguish which column is being used. Then, her uncertainty is lower bounded by the von Neumann entropy of the quantum system formed by the states listed in the row indexed by the value of $Y^2$ that she can access.

TABLE I: Encoding for blocks of length 2

  Y^2 \ Bases | B_0 B_0 | B_0 B_1 | B_1 B_0 | B_1 B_1
  ------------+---------+---------+---------+---------
  00          | |00>    | |0+>    | |+0>    | |++>
  01          | |01>    | |0->    | |+1>    | |+->
  10          | |10>    | |1+>    | |-0>    | |-+>
  11          | |11>    | |1->    | |-1>    | |-->


Recall the following property concerning the von Neumann entropy.

Proposition III.3 Let $\rho$ and $\sigma$ be quantum states; then $S(\rho \otimes \sigma) = S(\rho) + S(\sigma)$.

As a consequence of Equation (10) and Proposition III.3, for a sequence of fair Bernoullis we have

$S(\rho_{Y^k}) = kS^*,$ (12)

where $S^*$ is given by (7). So we have that

$H(X^k \mid Y^k, Z^k) \ge k - kS^*.$ (13)

Again, the equality can be achieved by a simple von Neumann measurement, namely that defined by $A^{\otimes k}$. This is the best scenario one can imagine to defeat Eve. However, for the protocol to be practical, the $X$'s should be generated by a PRG, which is the case we examine next.
Unfair input $k$-blocks

The results above were obtained assuming that $\{X_i\}$ was a sequence of i.i.d. fair Bernoulli random variables. In this section we study the general case, with the purpose of clarifying how the use of a real PRG affects the uncertainty about $X$.

Consider $k$-length blocks $X^k$, $Y^k$ and $Z^k$, where $X^k = X_{i+1}, \dots, X_{i+k}$ is a contiguous subsequence of $\{X_i\}$, and similarly for $Y^k$ and $Z^k$. Note that, to ease notation, we omit the index $i$ in defining $X^k$. However, it is crucial to remark that the probability distribution of $X^k$ is, in general, dependent on $i$. As a matter of fact, $p_{X^k} = (p_0, p_1, \dots, p_{2^k - 1})$ can even degenerate to a distribution with a single component equal to 1, depending on the robustness of the PRG. We shall simplify the notation by denoting $p_{X^k}$ by $p$.

Concerning the unfairness of $\{X_i\}$, the best strategy for Eve to get information from $X^k$ is to prepare a measurement (POVM) over all the $k$ qubits sent, given that she knows $Y^k$. Again, the Holevo bound gives us

$H(X^k \mid Y^k, Z^k) \ge H(X^k) - S(\rho_{Y^k}) = H(X^k) - H(\lambda)$ (14)

where $\lambda = (\lambda_1, \dots, \lambda_{2^k})$ is the spectrum of $\rho_{Y^k}$ and

$\rho_{Y^k} = \sum_{j=0}^{2^k - 1} p_j |\phi_j\rangle\langle\phi_j|$ (15)

where the states are $|\phi_j\rangle = \bigotimes_{i=1}^{k} |\phi_{j_i}(Y_i)\rangle$ and $j_i$ is the $i$-th bit of the binary representation of $j$. Note that $\rho_{Y^k}$ is a mixture of pure states weighted by the probabilities $p_j$, $j \in \{0, \dots, 2^k - 1\}$. Accordingly, we write $p_j = \Pr[X^k = j]$ where $j$ is seen in its binary representation (e.g., for $k = 2$, $p_0 = \Pr[X^2 = 00]$, $p_1 = \Pr[X^2 = 01]$, ...). Observe that $S(\rho_{Y^k}) = S(\rho_{Y'^k})$ for any two blocks $Y^k$ and $Y'^k$, since there exists a unitary transformation $U$ such that $U \rho_{Y^k} U^{-1} = \rho_{Y'^k}$.

We now establish a relationship between the probability vector $p_{X^k}$ and the lower bound given in Equation (14).

Denote by $q$ the uniform distribution, that is, $q_j = 1/2^k$, $j = 0, \dots, 2^k - 1$. In this section we shall verify that if the probability distribution of a block from the PRG, say $p$, is near enough the distribution $q$ for a block of size $k$, then the lower bound of (14) will be kept significantly near $k - kS^*$, which is the best one can achieve.

Let $\sigma_{Y^k}$ be the density operator corresponding to a $k$-length block $X^k$ generated by a fair Bernoulli sequence given that the $k$-length block $Y^k$ is known, that is

$\sigma_{Y^k} = \sum_{j=0}^{2^k - 1} q_j |\phi_j\rangle\langle\phi_j|.$ (16)

In this section we establish some results relating the von Neumann entropy with the trace distance $D(\rho_{Y^k}, \sigma_{Y^k})$ between $\rho_{Y^k}$ and $\sigma_{Y^k}$. Recall that the trace distance between two quantum states $\rho$ and $\sigma$ is defined by

$D(\rho, \sigma) = \tfrac12 \operatorname{tr}|\rho - \sigma|$

where $|A| = \sqrt{A^\dagger A}$. We shall also need the trace distance between probability vectors, say $a$ and $b$, defined by

$D(a, b) = \tfrac12 \sum_j |a_j - b_j|.$

The trace distance can be used to measure how biased a probability distribution is compared to a fair Bernoulli sampling. Given a probability distribution $p$, we call the bias of $p$ the value $B(p) = D(p, q)$ where $q$ is the uniform distribution.

Proposition III.4 Let $\epsilon > 0$ be an arbitrary real number. If

$B(p) \le \epsilon$ (17)

then

$D(\rho_{Y^k}, \sigma_{Y^k}) \le \epsilon$ (18)

where $\rho_{Y^k}$ is the state defined in Equation (15).

Proof. Denote $\gamma_j = |\phi_j\rangle\langle\phi_j|$. From the strong convexity of the trace distance we have:

$D(\rho_{Y^k}, \sigma_{Y^k}) = D\left(\sum_{j=0}^{2^k-1} p_j \gamma_j,\ \sum_{j=0}^{2^k-1} q_j \gamma_j\right) \le D(p, q) + \sum_{j=0}^{2^k-1} p_j\, D(\gamma_j, \gamma_j)$ (19)

$= D(p, q)$ (20)

which concludes the proof. □

In the proof of the next proposition we shall apply Fannes' inequality (see the references for more details about this inequality):

$|S(\rho) - S(\sigma)| \le 2D(\rho, \sigma)\, \ln\left(\frac{d}{2D(\rho, \sigma)}\right)$ (21)

where it is assumed that $D(\rho, \sigma) \le 1/(2e)$ and $d$ is the dimension of the Hilbert space where the states live.
Theorem III.5 If the conditions in Proposition III.4 hold, that is, if $B(p) \le \epsilon$, then

$|H(X^k) - S(\rho_{Y^k}) - (H(X^k) - S(\sigma_k))| = |S(\rho_{Y^k}) - S(\sigma_k)|$ (22)

$\le 2\ln 2\,(k - 1)\epsilon + 2\epsilon\ln\frac{1}{\epsilon}.$ (23)

Proof. Observe that the function $-x\ln x$ is monotonous in the interval $(0, 1/e)$. Therefore, assuming $0 < \epsilon < 1/e$ and for $N = 2^k$, we have:

$|S(\rho_{Y^k}) - S(\sigma_k)| \overset{(a)}{\le} 2D(\rho_{Y^k}, \sigma_k)\ln\frac{2^k}{2D(\rho_{Y^k}, \sigma_k)}$

$\overset{(b)}{=} 2\ln 2\,(k-1)\,D(\rho_{Y^k}, \sigma_k) + 2D(\rho_{Y^k}, \sigma_k)\ln\frac{1}{D(\rho_{Y^k}, \sigma_k)}$ (24)

$\overset{(c)}{\le} 2\ln 2\,(k-1)\epsilon + 2\epsilon\ln\frac{1}{\epsilon}$ (25)

where (a) results from Fannes' inequality, (b) is due to logarithm properties and (c) is due to Proposition III.4. □

This result states that if a PRG is such that the probability distribution of its output $X^k$, say $p$ (possibly conditioned on the past), is near enough the fair distribution $q$, then Eve's uncertainty is kept near the maximum $H(X^k \mid Y^k, Z^k) = k - kS^*$ (see Equation (13)).

Note that the distribution $p$ is induced by the random secret seed of the PRG, $X^{(n)}$, which is chosen with uniform distribution. Consequently, any practical use of Equation (23) will depend on Eve's capability to estimate that distribution and, clearly, on the PRG being used. For instance, suppose we want to upper bound the right side of (23) with a given tolerance defined by a positive real number $\delta$. After some simple algebraic manipulation we obtain that

$k \le 1 + \frac{\delta}{2\ln 2\,\epsilon} - \frac{\ln(1/\epsilon)}{\ln 2}.$ (26)

For the case of $\epsilon = \delta$ we get the simple bound

$k \le 1 + \frac{1}{2\ln 2} - \frac{\ln(1/\delta)}{\ln 2}.$ (27)

Additionally, when the conditions of Proposition III.4 hold, that is, for bias $B(p) \le \epsilon$, we can rewrite (26) as

$k \le 1 + \frac{\delta}{2\ln 2\,B(p)} - \frac{\ln(1/B(p))}{\ln 2}.$ (28)

Note that the right-hand side of (28) tends to infinity as $B(p)$ tends to zero. In detail, Equation (28), in the light of Theorem III.5, provides a way to compute the largest block whose uncertainty remains near $k - kS^*$ (up to $\epsilon$), given an upper bound on the bias of $p$. However, a word of advice is necessary: from its very definition, $p$ depends on $k$ and also on the position $i$ where the block starts, because $X^k = X_{i+1}, \dots, X_{i+k}$. So, the use of Equation (28) to establish a bound on a secure block relies on a bias that is difficult to compute for standard PRGs.

The following corollary clarifies the meaning of Theorem III.5 from an asymptotic point of view.

Corollary 2 Given a PRG, let $p$ be the probability distribution of a $k$-length generated block, and let $f(k, n)$ and $g(n)$ be positive functions such that:

• $\lim_{n \to \infty} g(n) = +\infty$

• $\lim_{n \to \infty} g(n) f(g(n), n) = 0$.

Then, if $B(p_{\mathrm{PRG}}) \le f(k, n)$ and $k \le g(n)$,

$\lim_{n \to \infty} |S(\rho_{Y^{g(n)}}) - S(\sigma_{g(n)})| = 0.$

We now discuss the results above. The idea is that $n$ is the size of the seed of the PRG and $k$ is the size of the block. If one chooses $k \le g(n)$ for some $g$, and the bias of the PRG is smaller than $f(k, n)$ for some $f$ fulfilling the conditions of Corollary 2, then the information Eve can retrieve from blocks of size $g(n)$ is as close to the ideal case as desired, just by choosing a larger $n$. A good PRG is one for which $n \ll g(n)$, so that the block size could be larger than the seed and still little information about the seed is revealed.

In the next section we make a comparison between classical XOR and quantum QC Bras- 
sard's schemes for authentication of classical messages. 

IV. IMPROVING KEY-TAG SECRECY 

In the last section we compared Eve's equivocation on $X$ for the XOR and QC schemes when she has access both to the message $Y$ and to its quantum encoded version, which she observes from the quantum channel. We concluded that the equivocation is kept above some lower bound depending on the quality of the PRG. In this section we include a hash function $h$ in the scheme (see Figure 5) in such a way that Eve only accesses the public message $Y$ and the quantum encoded version of the tag $T = h(Y)$. Thanks to that modification we shall demonstrate that it is feasible to improve the secrecy of the key and of the tag simultaneously.

By information-theoretic secrecy, as usual, we mean $I(W; V) = O(2^{-n})$ or, equivalently, the equivocation $H(W \mid V) = H(W) - O(2^{-n})$, where $W$ is the secret to be protected and $V$ is the piece of data available to the eavesdropper. Our derivations will focus on the equivocation $H(W \mid V)$ to measure the quality of the scheme. Then, the information to be protected is $W = (T, X^k)$ and the information available, from Eve's viewpoint, is $V = (Y, Z)$. We investigate the uncertainty of the tag $H(T \mid Y, Z)$ and the uncertainty of the key $H(X^k \mid Y, Z)$. We assume that $X^k$ is independent of the message $Y$ and that the hash function is selected from the $\epsilon$-almost universal-2 class of hash functions, which we refer to in the following just as hash functions.

FIG. 5: Authentication scheme with a single key $X^{(n)}$



Modified classical case 



Consider a simple modified setup where a XOR gate is taken in place of the QC block in the scheme displayed in Figure 5.

If $\{X_i\}$ is a fair Bernoulli sequence and a $k$-block of bits such that $k = \max\{\lceil \log|\mathcal{T}| \rceil, \lceil \log|\mathcal{H}| \rceil\}$ is utilized per message, then the scheme turns out to be equivalent to the Wegman-Carter one-time pad scheme. Indeed, in this situation $h$ is in fact drawn uniformly from $\mathcal{H}$; then

$H(T, X^k \mid Y, Z^k) \overset{(a)}{=} H(T \mid Y, Z^k) + H(X^k \mid T, Y, Z^k)$ (29)

$\overset{(b)}{=} H(T \mid Y, Z^k)$ (30)

$\overset{(c)}{=} H(T \mid Y)$ (31)

$\overset{(d)}{=} \log|\mathcal{T}|.$ (32)

Here equality (a) is due to the chain rule for Shannon entropy, and (b) is due to the fact that in the classical setup $X^k = T \oplus Z^k$. The equality (c) is harder to obtain; indeed it follows from the properties of the $\epsilon$-almost universal-2 class of hash functions. Note that $T = h_{X^k}(Y)$ has a uniform distribution. Moreover $T \mid X^k = h_{X^k}(Y)$ also has a uniform distribution, and therefore $T$ is independent of $X^k$. Since $Z^k = T \oplus X^k$, we have that $H(T \mid Y, Z^k) = H(T \mid Y)$. Equality (d) is also due to the properties of hash functions. On the other hand, if $\{X_i\}$ comes from a PRG, Eve's uncertainty on the tag can eventually decrease by observing the random variable $Z^k$. Indeed, in general, $H(T \mid Y, Z^k) \le H(T \mid Y)$. Consequently, unconditional secrecy relative to $T$, $H(T \mid Y, Z^k) = \log|\mathcal{T}|$, cannot be assured.

Uncertainty of the tag in the quantum case

In this subsection we introduce a condition to attain unconditional security of the tag in terms of the conditional mutual information between $T$ and the $k$-block of bits of the key.

Proposition IV.1 If $I(T; X^k \mid Y, Z^k) = H(T)$ then the tag is secure in the information-theoretical sense, that is, $H(T \mid Y, Z^k) = H(T)$.

Proof. From the standard chain rule of Shannon entropy we have:

$H(T, X^k \mid Y, Z^k) = H(X^k \mid Y, Z^k) + H(T \mid X^k, Y, Z^k)$ (33)

$= H(T \mid Y, Z^k) + H(X^k \mid T, Y, Z^k).$ (34)

Then, comparing (33) and (34) we obtain

$H(T \mid Y, Z^k) \overset{(a)}{=} H(T \mid X^k, Y, Z^k) + H(X^k \mid Y, Z^k) - H(X^k \mid T, Y, Z^k)$ (35)

$\overset{(b)}{=} H(T \mid X^k, Y, Z^k) + I(T; X^k \mid Y, Z^k)$ (36)

$\overset{(c)}{=} I(T; X^k \mid Y, Z^k)$ (37)

where (a) is due to a simple manipulation of (33) and (34), (b) is the definition of mutual information and (c) follows because the hash function is determined by $X^k$ and so $T = h(Y)$ is immediately calculated. That is, $H(T \mid X^k, Y, Z^k) = H(T \mid X^k, Y, T = h(Y)) = 0$. The result follows from (37). □

Eq. (37) clearly indicates that in order to increase Eve's uncertainty about $T$ we must maximize the mutual information between the block $X^k$ and the tag $T$. This is the information-theoretical hint that motivates the scheme presented in Figure 5. Note that in this case we make the tag $T$ depend on $X^k$, thus increasing their mutual information. In Brassard's scheme (see Figure 1) the hash function is fixed at the beginning, and therefore $I(T; X^k \mid V) = 0$, where $V$ is the observation that Eve can perform in Brassard's scheme.

It is remarkable that it is possible to attain unconditional security of the tag using a non-fair Bernoulli sequence for $X$ with the proposal of Figure 5. This fact is in sharp contrast with the classical setup, for which only fair Bernoulli sequences can assure that requirement.

Thus, a good approximation is to use a PRG for the sequence of $X$, and the mutual information $I(T; X^k \mid Y, Z^k)$ is as high as the PRG is unbiased, since that mutual information is mediated by the random variable $Z^k$.

It is clear that, if we are dealing with real PRGs (that do not generate a sequence of fair Bernoullis), then the conditions of Theorem III.5 should be considered in order to evaluate the number of messages that can be authenticated before leaking too much information. Another possibility to apply the scheme of Figure 5 is to spend just $k = \log|\mathcal{T}|$ key bits per message to protect the current tag. This approach is similar to Brassard's scheme, but improves it since the tag is protected by the quantum coding. Observe that as $\log|\mathcal{T}| \le \log|\mathcal{H}|$, this scheme is less costly in terms of key consumption.

Uncertainty of the key in the quantum case

In this case, the bounds derived in Section III remain valid, namely the inequality (14), which we recall:

$H(X^k \mid Y^k, Z^k) \ge H(X^k) - S(\rho_{Y^k}) = H(X^k) - H(\lambda).$ (38)

In this case, since the measurement is on the quantum encoding of the tag, and not on the quantum encoding of $Y$, the uncertainty is greater than that of the case discussed in Section III.

So, with the scheme of Figure 5, not only do we obtain a high equivocation about the tag, but we also increase the uncertainty of the sequence $X^k$ and, therefore, also of the seed $X^{(n)}$ of the PRG. Observe that Theorem III.5 and inequality (26) are also valid for this scheme, and can be used to get bounds on the size of $k$ for which a threshold of information is leaked to Eve.

V. SUMMARY 

In this work we have investigated how quantum resources can improve the security of 
Brassard's classical message authentication protocol. We have started by showing that a 
quantum coding of secret bits offers more security than the classical XOR function introduced 
by Brassard. Then, we have used this quantum coding to propose a quantum-enhanced pro- 
tocol to authenticate classical messages, with improved security with respect to the classical 
scheme introduced by Brassard in 1983. Our protocol is also more practical in the sense 
that it requires a shorter key than the classical scheme by using the pseudorandom bits to 
choose the hash function. We then established the relationship between the bias of a PRG 
and the amount of information about the key that the attacker can retrieve from a block 
of authenticated messages. Finally, we prove that quantum resources can improve both the 
secrecy of the key generated by the PRG and the secrecy of the tag obtained with a hidden 
hash function. 